
Commit ba610e4

committed
[WebProfiler] Do not add src-elem CSP directives if they do not exist
1 parent a5ae434 commit ba610e4


2 files changed

+25
-10
lines changed


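--- a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@@ -129,12 +129,13 @@ private function updateCspHeaders(Response $response, array $nonces = []): array
 continue;
 }
 if (!isset($headers[$header][$type])) {
-if (isset($headers[$header]['default-src'])) {
-$headers[$header][$type] = $headers[$header]['default-src'];
-} else {
-// If there is no script-src/style-src and no default-src, no additional rules required.
+$fallback = $this->getDirectiveFallback($directives, $type);
+if (null === $fallback) {
+// If there is no directive and no fallback, no additional rules required.
 continue;
 }
+
+$headers[$header][$type] = $fallback;
 }
 $ruleIsSet = true;
 if (!\in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
@@ -197,11 +198,8 @@ private function parseDirectives(string $header): array
 */
 private function authorizesInline(array $directivesSet, string $type): bool
 {
-if (isset($directivesSet[$type])) {
-$directives = $directivesSet[$type];
-} elseif (isset($directivesSet['default-src'])) {
-$directives = $directivesSet['default-src'];
-} else {
+$directives = $directivesSet[$type] ?? $this->getDirectiveFallback($directivesSet, $type);
+if (null === $directives) {
 return false;
 }
 
@@ -225,6 +223,16 @@ private function hasHashOrNonce(array $directives): bool
 return false;
 }
 
+private function getDirectiveFallback(array $directiveSet, string $type): ?array
+{
+if (\in_array($type, ['script-src-elem', 'style-src-elem'], true)) {
+// Let the browser fallback on it's own
+return null;
+}
+
+return $directiveSet['default-src'] ?? null;
+}
+
 /**
 * Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
 * a response.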
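Review bot: The comment on the early return in the new `getDirectiveFallback`, `// Let the browser fallback on it's own`, does not record why `default-src` must not be used for the `-elem` directives, and it has a typo (`it's` → `its`). The security reason belongs next to the code: `script-src-elem`/`style-src-elem` fall back to `script-src`/`style-src` before `default-src`, so synthesizing an `-elem` directive from `default-src` widens what script and style elements may load beyond the stricter `script-src`/`style-src` — the removed test expectation shows exactly that, with `domain.com` from `default-src` appearing in `script-src-elem` while `script-src` only listed `'self'`. Suggested replacement: `// script-src-elem/style-src-elem fall back to script-src/style-src, not default-src; synthesizing them from default-src would widen the stricter directive, so let the browser apply its own fallback.` The two directive names are also an inline array literal; a `private const` on the class would make the list discoverable. The enclosing class starts and ends outside the hunk.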

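--- a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@@ -131,7 +131,14 @@ public function provideRequestAndResponsesForOnKernelResponse()
 ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
 $this->createRequest(),
 $this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'']),
-['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src-elem \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src-elem \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+],
+[
+$nonce,
+['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+$this->createRequest(),
+$this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'']),
+['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
 ],
 [
 $nonce,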
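Review bot: Neither the amended dataset nor the new one pins the case the fix is really about — a `script-src` without `'unsafe-inline'` and no `script-src-elem` — where the nonce must be appended to `script-src` and no `script-src-elem` may be synthesized from `default-src`; the amended dataset's `script-src 'self' 'unsafe-inline'` is left untouched by the handler, and the new one declares every `-elem` directive explicitly. The removed expectation on old line 134 shows what a regression looks like (`domain.com` from `default-src` re-admitted for script elements), so a dataset that would fail on it is worth adding. The sketch below follows the shape of the visible datasets; whether the expected array carries a `Content-Security-Policy-Report-Only` entry when the input has none should follow the other datasets in this provider, which start and end outside the hunk.

```php
// … unchanged: preceding datasets …
[
    $nonce,
    ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
    $this->createRequest(),
    $this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\'']),
    ['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
],
// … unchanged: following datasets …
```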
